Introduction

In the world of system administration, effective log management is crucial for troubleshooting, security monitoring, and ensuring system stability. Logs provide valuable insights into system activities, errors, and security incidents. Ubuntu, like most Linux distributions, relies on a logging mechanism to track system and application events.

One of the most powerful logging systems available on Ubuntu is Rsyslog. It extends the traditional syslog functionality with advanced features such as filtering, forwarding logs over networks, and log rotation. This article provides guide on managing system logs with Rsyslog on Ubuntu, covering installation, configuration, remote logging, troubleshooting, and advanced features.

Understanding Rsyslog

What is Rsyslog?

Rsyslog (Rocket-fast System for Log Processing) is an enhanced syslog daemon that allows for high-performance log processing, filtering, and forwarding. It is designed to handle massive volumes of logs efficiently and provides robust features such as:

• Multi-threaded log processing

• Log filtering based on various criteria

• Support for different log formats (e.g., JSON, CSV)

• Secure log transmission via TCP, UDP, and TLS

• Log forwarding to remote servers

• Writing logs to databases

Rsyslog is the default logging system in Ubuntu 20.04 LTS and later and is commonly used in enterprise environments.

Installing and Configuring Rsyslog

Checking if Rsyslog is Installed

Before installing Rsyslog, check if it is already installed and running with the following command:

systemctl status rsyslog

If the output shows active (running), then Rsyslog is installed. If not, you can install it using:

sudo apt update
sudo apt install rsyslog -y

Once installed, enable and start the Rsyslog service:

sudo systemctl enable rsyslog
sudo systemctl start rsyslog

To verify Rsyslog’s status, run:

systemctl status rsyslog

Understanding Rsyslog Configuration

Rsyslog Configuration Files

Rsyslog’s primary configuration files are:

• /etc/rsyslog.conf – The main configuration file

• /etc/rsyslog.d/ – Directory for additional configuration files

Basic Configuration Syntax

Rsyslog uses a facility, severity, action model:

FACILITY.SEVERITY  ACTION

• Facility: Defines the type of log (e.g., auth, cron, daemon, mail, user, syslog)

• Severity: Defines the importance level (e.g., debug, info, warning, error, critical)

• Action: Defines where logs should be stored or forwarded

Example:

authpriv.*    /var/log/auth.log
*.info;mail.none;authpriv.none;cron.none    /var/log/syslog

Common Logging Directives

• *.*: Logs all facilities and severities

• cron.*: Logs all cron jobs

• authpriv.*: Logs authentication messages

Managing Log Files with Rsyslog

Default Log Locations

Ubuntu logs are typically stored in:

• /var/log/syslog: General system logs

• /var/log/auth.log: Authentication logs

• /var/log/kern.log: Kernel logs

• /var/log/dmesg: Boot logs

Custom Log File Configuration

To store logs in a custom file, edit /etc/rsyslog.conf and add:

local7.*    /var/log/custom.log

After editing, restart Rsyslog:

sudo systemctl restart rsyslog

Log Rotation with Logrotate

To prevent log files from growing indefinitely, Ubuntu uses logrotate. Rsyslog integrates seamlessly with it via /etc/logrotate.d/rsyslog.

To configure log rotation, edit /etc/logrotate.d/rsyslog and modify:

/var/log/syslog
{
    rotate 7
    daily
    compress
    missingok
    notifempty
}

This configuration:

• Keeps logs for 7 days

• Rotates logs daily

• Compresses old logs

Apply changes by running:

sudo logrotate -f /etc/logrotate.conf

Remote Logging with Rsyslog

Why Use Remote Logging?

Remote logging is essential for:

• Centralizing logs from multiple systems

• Enhancing security by preventing local tampering

• Making it easier to analyze logs across a network

Configuring Rsyslog as a Log Server

To receive logs from remote clients, configure Rsyslog as a server. Edit /etc/rsyslog.conf and uncomment:

module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")

Restart Rsyslog:

sudo systemctl restart rsyslog

Sending Logs to a Remote Server

On a client machine, configure Rsyslog to forward logs:

*.*    @192.168.1.100:514   # Send logs via UDP
*.*    @@192.168.1.100:514  # Send logs via TCP

Restart Rsyslog on the client:

sudo systemctl restart rsyslog

Monitoring and Troubleshooting Logs

Viewing Logs in Real-Time

Use the following commands to view logs:

tail -f /var/log/syslog
journalctl -f

Debugging Rsyslog Issues

To check Rsyslog errors:

sudo journalctl -u rsyslog --no-pager

To enable debug mode, edit /etc/rsyslog.conf:

$DebugLevel 2

Restart Rsyslog:

sudo systemctl restart rsyslog

Advanced Rsyslog Features

Logging to a Database

Rsyslog can log data into MySQL or PostgreSQL using the ommysql module:

module(load="ommysql")
*.* :ommysql:DBServer,DBUser,DBPassword;DBTable

Using Rsyslog with Logstash and Graylog

To integrate with Logstash or Graylog, configure Rsyslog to output logs in JSON format:

module(load="mmjsonparse")
*.*  /var/log/json-logs.log

Conclusion

Rsyslog is an incredibly powerful logging tool that enables effective log management, filtering, and remote logging. By mastering its configurations, log rotation, and troubleshooting techniques, you can ensure seamless log monitoring on Ubuntu. Whether used for security audits or performance analysis, a well-configured Rsyslog setup is invaluable.